sparse-intern-71089
09/20/2023, 8:42 AM
bumpy-glass-30283
09/20/2023, 10:09 AM
gorgeous-vegetable-27176
09/20/2023, 10:25 AM
adventurous-butcher-54166
09/21/2023, 10:37 AM
Identity parameter to SystemAssigned in web.NewWebApp so that the App Service has a managed identity which can be authorized to pull from the Registry
• Under SiteConfig on the App Service resource, set AcrUseManagedIdentityCreds to pulumi.Bool(true) so that the App Service knows you want to use managed ID for authenticating against the registry
• Then create a Role Assignment to assign the AcrPull role to the managed identity. Sharing the Python code I use for that - which you could adjust to work in your Go project - see docs for authorization.RoleAssignment
import pulumi
from pulumi_azure_native import authorization


def webapp_acrpull_role(name, web_app, registry):
    """Add identity to registry allowing web app to pull images"""
    return (
        authorization.RoleAssignment(
            name,
            # System-assigned managed identity of the App Service
            principal_id=web_app.identity.principal_id,
            principal_type="ServicePrincipal",
            # Built-in AcrPull role definition
            role_definition_id="/providers/Microsoft.Authorization/roleDefinitions/7f951dda-4ed3-4680-a7ca-43fe172d538d",
            # Scope the assignment to this registry only
            scope=registry.id,
            opts=pulumi.ResourceOptions(
                parent=web_app, ignore_changes=["principal_id"]
            ),
        )
        if registry is not None
        else None
    )
gorgeous-vegetable-27176
09/21/2023, 1:51 PM